Deploy & Setup Server management tools


Server management tools is a new Azure service. To get started, you will need an Azure subscription. If you don’t already have an Azure subscription, check out this link on how to set one up. Once you have the subscription set up, log in to the Azure portal. After logging in successfully, look for Server management tools (SMT) in the Marketplace.

SMT marketplace

 

In order to use SMT, you will need to install a gateway in your environment. The gateway setup is part of the same flow as creating the SMT connection to your target server. Clicking on Create at this step will open up the Create blade (as shown below) where you will be prompted to enter details for the machine that you want to manage as well as create a gateway resource. Therefore, you will be creating two Azure resources: Server management tools connection and Server management tools gateway. The various fields of the form are explained below.

create blade

 

Computer name: This is the name of the machine that you want to manage as well as the name of the Server management tools connection resource. A resource is something you provision in your Azure subscription and always belongs to a Resource group. In our case the computer name is also the SMT resource name. Since the resource name is a computer name, it can either be the FQDN, NetBIOS name or the IP address for the machine. In the example above, I am using “TRNano” which is the NetBIOS name of my VM in Azure.

Subscription: The SMT connection and the gateway will be associated with the Azure subscription that you choose here. Check out this blog for more details on subscriptions.

Resource group: A resource group is a logical grouping of resources that supports a particular application or workload. For example, you may want to create SMT connections for all your File Server machines in a single resource group. You could also expand the logical grouping to say all your servers in Seattle are under a single resource group.

Location: This is the region where your resources will be hosted in Azure.

Server management tools gateway: This is the machine that will act as a proxy between the Azure portal and the machines you want to manage. SMT connection and gateway must be under the same subscription and resource group and also in the same location (Azure region).

SMT gateway setup is a two-step process –

  1. Create the gateway resource in Azure
  2. Install the gateway software on the machine that you designate as your gateway

Step 1: Create the gateway resource in Azure

  1. In the Create form above, specify a name for the SMT gateway. This can by a friendly name, such as “Seattle servers", or the FQDN, NetBios name or the IP address of the server you will install the gateway software on. I am using “TRGateway” in this setup process.
  2. After filling out all the fields in the form, click on Create. This will kick off the deployment of the two SMT resources – connection and gateway – in Azure. Assuming you checked the “Pin to dashboard” option in the Create form, a tile will appear on the dashboard (used below). You can click on it to monitor the deployment of the resources.deploying image
  3. After the deployment is successful, navigate to the resource blade for the new SMT connection to TRNano. You will notice an orange notification saying “Gateway not detected…”. Click on the notification and follow the instructions to set up the gateway software on a server.

gateway not detected

 

Step 2: Install the gateway software on the machine that you designate as your gateway

  1. Clicking on the orange notification will open the gateway blade where you can click on the blue notification for next steps. Read the details on the Gateway configuration blade.configure gateway
  2. As an online service, SMT is evolving and may require updates to the gateway software for optimal operation. On the configuration blade, you can opt in to let the service automatically update your gateway or you can choose to control the updates and select the Manual option.
  3. Then click on Generate a package link. Copy this link. You will need to access this link from the server where you will be installing the gateway.
  4. Log in to the server on which you want to install the SMT gateway. This can be a Windows Server 2016 or a 2012R2 machine. The SMT gateway is currently not supported on a Nano server.
  5. Open a browser and navigate to the link you generated above.
  6. You will be prompted to Open or Save a zip file. Save the file to the desired location and unzip the contents.
  7. Run the GatewayService MSI by double clicking on it.MSI1
  8. Walk through the steps in the MSI.
  9. During the installation process, you will be prompted to create a self-signed certificate or provide an existing certificate on the computer. The certificate will be used to encrypt your credentials and we will explain this later in this post.MSI2The following components are also changed as part of the gateway software installation:
    • Gateway software binaries are added to Program Files\ServerManagementToolsGateway
    • Two new Windows services, ServerManagementToolsGateway and ServerManagementToolsUpdate, are installed on the system
    • A registry key is created

    No other ports or firewall rules are modified to support the SMT gateway.

  10. Continue to the next step and wait for the gateway installation to complete.

At this point SMT gateway is successfully installed and configured. You can now go back to the Azure portal and start managing the TRNano machine. You can also follow the same steps to configure the gateway on an Azure VM and manage your VMs in Azure.

If you navigate to the gateway blade, you will see gateway status as well as the list of machines associated with this gateway. In this case, I only have TRNano.

gateway blade

If you navigate to the TRNano connection blade, you will be required to enter the credentials.

enter creds

Here you have the option to save the credentials. If you decide to do so, the credentials are encrypted using the certificate you generated as part of the gateway setup and stored in Azure. The credentials are encrypted using standard AES encryption and the certificate is always stored on the SMT gateway. The encrypted credentials are decrypted by the SMT gateway and used to process all management requests on the target machine. Even though the credentials are securely stored in Azure, the certificate provides an additional level of security because only your gateway can decrypt the stored credentials since only your gateway has the certificate.

If the credentials you entered have the permissions to access the machine, you should start to see some performance metrics for the target server and you can continue to remotely manage it.

main smt blade

 

If GUI is not your preferred way of installation, check out the wiki article published by one our MVPs, Ryen Kia Zhi Tang, on how to use PowerShell to get started. The article also talks about configuring SMT to manage Azure VMs.

Try it today!

Hope you found this post helpful. If you have any issues with gateway setup or getting started with Server management tools, please let us know by posting comments below. You can also use the feedback button in the Azure portal or submit your ideas and suggestions on our UserVoice forum. You may also follow us on Twitter. We look forward to you trying out the new capabilities and continuing to provide valuable feedback to make the service better. If you have any issues while using the service, check out the Troubleshooting guide to quickly identify and resolve the problem.

Comments (15)

  1. Tom says:

    Great article!
    I followed the instructions but when I execute the gateway MSI on an Azure Windows Server 2016 VM, I got an error saying :
    'To install this software you must be running Windows Server 2012 R2 or later'.
    Any ideas?
    Thanks!

    1. Hi Tom! Any chance you are installing the gateway MSI on a domain controller? Obviously the error message is incorrect, but we prevent the gateway from being installed on DCs to be in-line with security best practices which recommend that DCs should be as locked down as possible, and ideally not even be internet-connected: https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/plan/security-best-practices/securing-domain-controllers-against-attack
      We're working on a fix for the error message that should be released pretty soon. Let me know if you still have any problems!
      -Daniel

  2. Pierre says:

    Too bad you're not supporting Nano Server (best use case for SMT) and still publishing MSI packages.
    WSA has been announced almost a year ago and I still haven't seen any product released that takes advantage of it.
    https://blogs.technet.microsoft.com/nanoserver/2015/11/18/installing-windows-server-apps-on-nano-server/
    Who's going to provide WSAs if you don't?
    Dogfooding guys, dogfooding.

    1. Hi Pierre! SMT preview was released before WS2016 TP5, so we knew customers would be asking for the gateway to be supported on WS2012R2 and therefore had to choose MSI as the higher priority at the time. However, now that WS2016 is generally available, we're working on supporting the gateway service on Nano Server and this will obviously be using WSA.

  3. RichardP says:

    I have my gateway server up and running but how do I add more server on the same network?

    1. Hi, sorry for the late reply! You need to go to the "Create Server management tools connection" page in Azure and specify the server you're trying to add. You can use an existing gateway server as long as the server and gateway can talk to each other. You can reach the "Create Server management tools connection" page via this link: https://ms.portal.azure.com/#create/Microsoft.RSMTNodes, or go to the "Server management tools connections" list page and click on the "Add" command button at the top.

  4. as says:

    How can I add a server to be managed by SMT using server's public IP (not private, as the server is not on the same network as the SMT gateway server)? Can I have Linux servers added too - how? What if the servers managed by SMT each have a different set of credentials - can the management interface in Azure allow me to establish credentials per server so I can smoothly switch between them.

    1. Hopefully this helps, but let me know if you have any further questions!
      - Adding server with public IP: When creating a new SMT connection via https://ms.portal.azure.com/#create/Microsoft.RSMTNodes, specify the server's public IP in the "Computer name" field. Whatever you type into this field (IP address, NetBIOS name or FQDN) is what is used to connect to the target machine and establish a WinRM connection. WinRM connection across different networks can be tricky - please see the "I can't connect to a server" section in our Troubleshooting Guide (https://blogs.technet.microsoft.com/servermanagement/2016/07/20/troubleshooting-problems-with-server-management-tools/) and make sure you have the Trusted Hosts, admin account and firewall configured properly.
      - Linux management: This is something we're considering in the future, but currently we're focusing on full management of Windows Server.
      - Different credentials for servers: You can specify different credentials in the "Manage as" UI for each server in the Azure portal. If you choose to save credentials, we'll encrypt and save the credentials for each server separately.

  5. Brent Evans says:

    Trying to do a POC with Gateway on Windows Server 2016 DC with build 14393.693. Gateway is not connecting to any targeted servers -- all Win 2016 with same build. Event logs (ServerManagementTools) on Gateway indicate "Cannot find the feature with the name 'cim' (and 'downlevelsupport'). What am I missing?

    1. Hi Brent! This is due to a recently expired cert in the gateway service and we're working on releasing a gateway update ASAP. You can follow us on Twitter (@servermgmt) for updates on this issue. Sorry for the inconvenience!

    2. Hi Brent, we just released a gateway update that fixes this problem. If your gateway is configured to auto-update (which is the default), it should be updated to version 1.0.1889.0 within 30 minutes. See the link below for more options on updating your gateway and let us know if you still have any problems.
      https://blogs.technet.microsoft.com/servermanagement/2016/07/20/troubleshooting-problems-with-server-management-tools/#update_gateway

      1. Brent Evans says:

        Daniel -- you the man. That was fast. I removed the gateway after having problems. I'll give it a whirl sometime today. I'm personally pretty excited about this concept. I have factory OT customers that can really benefit from this.

        I'll post back after trying it out.

        Thanks!!

  6. Brent Evans says:

    Daniel -- I got it deployed again and spent little bit of time playing. Works great -- just perhaps not as responsive (initially) what I might like. So any plans to be able to do more with Roles and Features -- such as what you might do through Server Manager for an RDS deployment?

  7. Dow says:

    would have been nice if the ports being used by the gateway were included

  8. David Morgan says:

    Is there a method for adding multiple servers. Adding them one at a time is really inconvenient. Would be great to have some type of import method like there is in the server OS' Server Manager; from AD, from DNS, from file, etc.

Skip to main content